How two underground entities surfaced, battled, aligned, and ultimately extracted billions from some of the world’s largest financial institutions via unsuspecting, everyday banking client victims

I recently had the opportunity to speak with two representatives from the Netherlands-based security research firm Fox-IT—Maurits Lucas, InTELL Business Director, and Andy Chandler, VP of WW Sales & Marketing. Collectively, the two shared an in-depth story of cybergang warfare suitable for Hollywood.

As the events unfolded through their words, I quickly began to see into the business minds of the cybercriminals they described. Even more interesting to me was that a cyberbusiness was actually being created and an entirely new market was being defined. This piece provides a glimpse into how the cybercriminals used business best practices to rake in the cash.

The start-up

Our business case begins in 2006 and is rooted in technology. On the surface, this business case could sound like any other presented by one of the top universities, where the subject business is created from a well-balanced mix of supply & demand, driven by revenue, enabled by innovation, and rife with competition. However, this story isn’t about your traditional mainstream commercial business. Instead, it is one of a lucrative underground cybercrime business.

Commercializing the POC

The proof of concept (POC) for the new business began with the creation, introduction, and successful use of a man-in-the-browser (MitB) malware kit that formed a botnet specifically targeting financial institutions. Victims were typically companies or wealthy individuals with large amounts of cash periodically available in their bank accounts—for example, funds transferred to a specific account to pay the wages of their employees.

The malware was designed to first attach to the host browser, allowing it to modify any Web page it wanted before rendering it to the user. Once hooked into the browser, the malware would insert additional code (a botnet) into the banking website page(s) the user visited.

This isn’t the scary stuff, however. The real payload comes when the botnet leverages its newly formed connection to the banking systems on the other side of the browser as a channel through which it can insert the real attack—monetary transaction code that essentially turns the victim’s session into a digital money mule.

Zbot, now publicly referred to as ZeuS, was the first appearance of such a malicious botnet, complete with phone-home and command & control service management. Its creator, known on underground channels as Slavik, sold the industry’s original malware kit on the cyber underground for a going rate of $8K. Slavik’s proof-of-concept turned out to work extremely well; he made a lot of money and some of his customers made even more money by launching some serious online banking attacks using the malware kit he created and sold.

As the new market grew, the question for the business eventually became one of scale, margins—and greed.

I spy some competition

It took three years for a new version of the ZeuS botnet to surface. In 2009 ZeuS version 2 appeared, adding a tremendous amount of new functionality to the product. ZeuS v2 was more robust, handled take-downs better, and included new features such as the ability to monitor network traffic, capture screenshots, record the victim’s keystrokes, steal certificates, and even connect to other systems using the victim’s IP address. New versions signaled success: a business had been born.

As with most businesses, the exposure and recognition of success spur the introduction of new offerings from one or more competitors. While the business of cybercrime is neither legal nor moral, it is no different from a legitimate business in this sense. So, as you can imagine, once Slavik had created and established this new bot-based banking fraud market, at least one viable competitor would surface. And it did.

The first competing product, SpyEye, was authored by someone using the underground aliases Gribodemon and Harderman. While the first versions of this malware were laughably bad—they often failed to run and would even blue-screen the victim’s computer—the kit cost only $400. This was a huge price cut compared to the $8K Slavik charged for his ZeuS malware kit.

With its aggressive pricing, the market took notice of SpyEye. The revenue generated by SpyEye was seemingly re-invested by Gribodemon to quickly improve the software, and the competing product soon started to gain market share—even after Gribodemon found he could successfully increase the price of his kit from $400 to $1K.

As its foothold solidified and the SpyEye software became more mature, its author began to get extremely aggressive in other areas of the business. Gribodemon went directly after the ZeuS market share, looking for complete domination. A fierce battle ensued.

One example of a traditional tactic used by SpyEye was a competitive takeout. Gribodemon’s goal was not only to win net new customers but also to replace existing ZeuS customers. Gribodemon built his SpyEye malware kit such that, upon successful injection into the host browser, it would check for the existence of the ZeuS botnet and remove it, essentially taking over the system and all banking accounts previously compromised by ZeuS.

In true business form, Slavik responded in kind with updates to his ZeuS kit. Another traditional business tactic applied by SpyEye was a competitive migration. Gribodemon delivered a feature in SpyEye called “Spy Config” that extracts the configuration defined in the ZeuS malware kit, loads it into the SpyEye configuration, and provides additional documentation on how to leverage the ZeuS configurations.

With the configuration mapping and education complete, SpyEye’s users knew how to follow the ZeuS injector; they also had a clear view into what ZeuS was up to and what to do with the system, connections, and accounts. Most everyone interested in the SpyEye kit already knew how to read ZeuS malware configurations. This feature made it extremely easy for customers to switch from the ZeuS malware kit to the SpyEye malware kit.

Caution: Lanes merging

Having seen no updates for quite some time, the market found the ZeuS malware kit sitting at v2.0.8.9 in October 2010. On the underground forums, announcements surfaced from both of these fierce competitors—Slavik and Gribodemon—claiming that further development of ZeuS and SpyEye would cease as individual offerings and that Slavik’s ZeuS business was to be handed over and merged into Gribodemon’s SpyEye business. This, as you can imagine, sent the market into a frenzy.

While the market still saw some unofficial versions of the kit surface and then disappear after October 2010, this was more likely a case of the ZeuS source code being used by some of Slavik’s close friends—not the result of a successful partnership or business merger. The merger appears never to have materialized—at least not in a substantial, official way. It’s safe to say the SEC certainly didn’t publicly sanction any merger.

In 2011, the entire ZeuS source code leaked, likely because Slavik had handed the source to some of his not-so-careful customers/friends. This proved to be a very interesting period both in the cybercrime market and in the cybersecurity industry; now anyone could develop their own MitB malware kit, modify the kit, and create variants or even new families of the kit. Fox-IT saw open-source MitB products become real solutions in their own right—Ice-IX and Citadel being two examples.

On the other side of the coin, some variants tried to improve upon the original ZeuS encryption methods but failed miserably. While all this was going on with ZeuS, SpyEye was still on the scene, though development of that kit also started to falter. Eventually the market saw the introduction of SpyEye v1.3.4.8. This would be the last version of SpyEye to appear, and Gribodemon was never heard from again.

The researchers at Fox-IT kept following Slavik and discovered that he had in fact given his crown jewels to Gribodemon. But while it appeared on the surface that Slavik had given up on ZeuS and the business of cybercrime, this was far from the case. In fact, Slavik had some clever business plans up his sleeve.

Thanks for the gift horse

As it turns out, Slavik had been working on a new version of ZeuS all along, a version that would equate to a ZeuS v2.1. This new version, however, was never sold by Slavik as a kit. Nor was this new version ever delivered to Gribodemon. As he transitioned the source code to v2.1, Slavik re-defined the market, converting his perpetual license software and business model into one based on a subscription model delivered via the cloud. ZeuS v2.1, which became v3 in September 2011, became the first online banking malware to be offered as a service—the industry’s first “malware as a service” (MaaS).

With this new release, ZeuS v3 also included peer-to-peer as a command and control protocol—and Slavik began referring to his new ZeuS v3 creation as P2PZeuS. Suddenly, the real reasons behind the silence in development and the competition-turned-coopetition became evident: Slavik was tired of selling software as a kit. The more people joined his client base, the more time he had to spend supporting them.

According to underground chatter analyzed by Fox-IT, some of the people purchasing his kit had no clue as to what they were doing; their attacks would fail and they would blame Slavik’s software. Slavik was forced to go underground to undo the damage caused by these claims, turning the blame back around to the “idiotic” customers. It is suspected that this was extremely time-consuming, exhausting, and left Slavik susceptible to attack and piracy.

With his new MaaS business model, Slavik could own the infrastructure and control how the software was used. In this environment, his customers were less likely to make mistakes and less likely to lash out at Slavik and his wares. It turns out that the Gribodemon hand-off of the perpetual kit was simply a way for Slavik to transfer the ongoing, overwhelmingly-expensive support for the ZeuS kit over to Gribodemon—so Slavik could focus on his new business model.

With the new service up and running, Slavik didn’t join Gribodemon as described underground. Instead, he became part of a gang using P2PZeuS to go after high-value accounts. Fox-IT has some individual examples where the gang handled some large amounts. In September 2012, there was an attempt to steal $465K from a small US company and send the funds to an account in a Chinese bank.

In a second example, also from September 2012, a US printing company was hit by an attempt for no less than $2M—with plans for the money to be transferred (presumably through Cyprus) back to the gang. Fox-IT also found information supporting the theory that large attempts like these were tried more often around that date. For both examples, Fox-IT can’t confirm whether they were ultimately successful.

However, it is known that P2PZeuS was successful in pulling off many heists like these. With large sums like these in the cards, Slavik made more money as part of the gang than he could have by selling and supporting his malware kit on the black market. Slavik benefitted tremendously through his decision to steal away to work on P2PZeuS and to use it himself with his gang while also renting it out to friends and family.

By moving away from the ZeuS kit, Slavik also alleviated the unwelcome attention associated with the underground chatter. Perhaps worth more than the cost savings from eliminating the support efforts was the hand-off of the FBI’s attention to this cybercriminal activity. Gribodemon may have done well to look a little closer at the mouth of that gift horse. Since the kit, and the FBI attention that came with it, were transferred to Gribodemon, the market has seen nothing more from him. He is no longer active on the scene; it is presumed he has retired—or vanished.

Riding the horse of greed across the finish line

In 2012, a new Trojan appeared on the scene. Trusteer analyzed the loader component of the Trojan and found it was very similar to the loader component contained within Silon. Since T comes after S, this new Trojan became known as Tilon.

In the fall of 2013, Fox-IT gained access to the infrastructure and source code for Tilon. After deeper analysis of the Trojan and its supporting infrastructure, it turned out that the loader component was the only piece derived from Silon. The core of the Tilon solution is actually a re-worked, further-developed version of SpyEye—a SpyEye version 2 now offered as, you guessed it, a managed service.